Add Service Principal Role Assignments to Groups

Go to Automation: (Add Job Template URL here)

View in GitLab

Description

This playbook links existing App Roles of an Entra ID (Azure AD) Application / Service Principal to Azure AD groups. It:
  • Resolves the target application either by AppDisplayName or by an explicit app_id.
  • Retrieves the Service Principal details and the App Roles it exposes.
  • Accepts a multiline variable (role_groups) where each line maps an App Role to a group (format: RoleDisplayName;GroupDisplayName).
  • For each mapping it locates the App Role and the Azure AD group and (PowerShell script section – omitted in source) creates the role assignment if it is missing.

Credentials

Uses a Service Principal credential stored in PasswordState (a different one for the production and the onderwijs/education tenant):
  • Sys_Azure_AppRegs_PR (production)
  • Sys_Azure_OND_Admin (onderwijs)

The credential must be able to write app role assignments in the tenant (the Microsoft Graph application permission AppRoleAssignment.ReadWrite.All, together with Application.Read.All to read the Service Principal and Group.Read.All to resolve groups). Because this credential can grant any application role to any group, retrieve it with no_log: true on the PasswordState task so the secret never appears in job output.

Inputs

Variable             Description
AppDisplayName       Display name of the target App Registration (used when app_id is not provided).
app_id               Application (client) ID; overrides the AppDisplayName lookup when provided.
role_groups          Multiline string; each line: RoleDisplayName;GroupDisplayName.
onderwijs            'yes' to switch to the onderwijs tenant/subscription, otherwise 'no'.
task                 (Optional) External task / ticket reference.
azure_tenant         Default tenant ID (overridden when onderwijs == 'yes').
tenant_name          Default tenant primary domain (overridden for onderwijs).
subscription_id      Azure subscription ID (changes with onderwijs).
ansible_url          Reference URL of the Ansible controller (informational).
pws_ivanti_api_key   Ivanti API key label (not used directly in this play).

Role Group Mapping Format

Example:

Reader;AZ-SPN-Readers
Writer;AZ-SPN-Writers
Custom Processor;AAD-Custom-Processors

Outputs

  • Debug of parsed role_group_assignments (list of objects with role_name, group_name).
  • PowerShell script output (JSON array) summarising success/failure per assignment (the exact shape depends on the script section not shown in the truncated source).

Idempotency

  • Only valid, non-empty role lines are processed.
  • An assignment is created only if it does not already exist, so the job can be re-run safely.
  • Assignment creation is skipped when the role or the group cannot be found (the script is expected to handle this gracefully and report it).

Dependencies / Modules

Component                                              Purpose
azure.azcollection.azure_rm_adapplication_info         Look up the App Registration.
azure.azcollection.azure_rm_adserviceprincipal_info    Retrieve the Service Principal and its roles.
d09.passwordstate.passwordstate_password_fact          Secure retrieval of credentials from PasswordState.
ansible.windows.win_powershell                         Executes the Graph-based PowerShell (Connect-GraphService and the role assignment logic).

Custom helper functions (Connect-GraphService, Get-MgServicePrincipalByAppId, etc.) must be available on the delegated Windows host.

Error Handling

  • If the Service Principal is not found, the script block exits with code 1 (failure).
  • Missing roles or groups are reported individually per mapping (lines omitted in source).
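The following is an added example, not the playbook's own (omitted) script, of the parse-then-assign logic the Description, Idempotency and Error Handling sections describe: it parses the role_groups text, resolves the Service Principal by app_id, checks each role/group pair against the assignments that already exist, and emits a JSON summary. It uses the Microsoft.Graph PowerShell SDK directly and assumes a Graph session has already been opened with Connect-MgGraph (standing in for the page's custom Connect-GraphService helper); the parameter names $AppId, $RoleGroups and $DryRun and the status strings are assumptions, not values from the playbook.

```powershell
# Added example (not the playbook's own script): idempotent app-role-to-group
# assignment over a "RoleDisplayName;GroupDisplayName" mapping text.
# Assumes an established Graph session (Connect-MgGraph) holding
# AppRoleAssignment.ReadWrite.All, Application.Read.All and Group.Read.All.
param(
    [Parameter(Mandatory)] [string] $AppId,      # Application (client) ID of the resource app
    [Parameter(Mandatory)] [string] $RoleGroups, # multiline mapping, one "Role;Group" per line
    [switch] $DryRun                             # report what would be created, change nothing
)

# Parse the mapping text: trim, skip blank and '#' lines, require exactly one ';'
# with a non-empty value on each side, and drop exact duplicates.
function ConvertFrom-RoleGroupMapping {
    param([string] $Text)
    $seen = @{}
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith('#')) { continue }
        $parts = $line -split ';'
        if ($parts.Count -ne 2 -or -not $parts[0].Trim() -or -not $parts[1].Trim()) {
            Write-Warning "Skipping malformed mapping line: '$line'"
            continue
        }
        $key = "$($parts[0].Trim())|$($parts[1].Trim())"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        [pscustomobject]@{ role_name = $parts[0].Trim(); group_name = $parts[1].Trim() }
    }
}

# OData string literals escape a single quote by doubling it; never interpolate raw input.
function ConvertTo-ODataLiteral { param([string] $s) return ($s -replace "'", "''") }

$sp = Get-MgServicePrincipal -Filter "appId eq '$(ConvertTo-ODataLiteral $AppId)'"
if (-not $sp) { Write-Error "Service principal for appId $AppId not found"; exit 1 }

# Existing assignments on the resource SP, keyed by principal|role, make re-runs idempotent.
$existing = @{}
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    ForEach-Object { $existing["$($_.PrincipalId)|$($_.AppRoleId)"] = $true }

$results = foreach ($m in ConvertFrom-RoleGroupMapping -Text $RoleGroups) {
    $status = 'created'; $detail = ''
    $roles = @($sp.AppRoles | Where-Object { $_.DisplayName -eq $m.role_name -and $_.IsEnabled })
    if ($roles.Count -eq 0) {
        $status = 'skipped'; $detail = 'app role not found or disabled'
    } elseif ($roles.Count -gt 1) {
        $status = 'failed'; $detail = 'ambiguous app role display name'
    } elseif ('User' -notin $roles[0].AllowedMemberTypes) {
        # Groups are assigned through the "User" member type; app-only roles cannot be mapped.
        $status = 'skipped'; $detail = 'app role is not assignable to users/groups'
    } else {
        $groups = @(Get-MgGroup -Filter "displayName eq '$(ConvertTo-ODataLiteral $m.group_name)'")
        if ($groups.Count -eq 0) {
            $status = 'skipped'; $detail = 'group not found'
        } elseif ($groups.Count -gt 1) {
            # Group display names are not unique in Entra ID; never guess which one was meant.
            $status = 'failed'; $detail = "ambiguous group name ($($groups.Count) matches)"
        } elseif ($existing.ContainsKey("$($groups[0].Id)|$($roles[0].Id)")) {
            $status = 'exists'
        } elseif ($DryRun) {
            $status = 'would-create'
        } else {
            try {
                New-MgGroupAppRoleAssignment -GroupId $groups[0].Id -PrincipalId $groups[0].Id `
                    -ResourceId $sp.Id -AppRoleId $roles[0].Id | Out-Null
                $existing["$($groups[0].Id)|$($roles[0].Id)"] = $true
            } catch { $status = 'failed'; $detail = $_.Exception.Message }
        }
    }
    [pscustomobject]@{ role = $m.role_name; group = $m.group_name; status = $status; detail = $detail }
}

# One JSON array (even for a single mapping) so the Ansible task can consume it uniformly.
ConvertTo-Json -InputObject @($results)
```

Run it with -DryRun first from the win_powershell task to see which mappings would be created, then without it; because ambiguous names are reported as failed rather than resolved by picking the first match, the job surfaces duplicate group or role display names instead of silently granting a role to the wrong group.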

Example Invocation (Extra Vars)

AppDisplayName: MyBusinessAPI
role_groups: |
  Reader;AZ-SPN-Readers
  Writer;AZ-SPN-Contributors
onderwijs: 'no'

Notes

  • Provide either AppDisplayName or app_id. If both are provided with non-empty values, the app_id lookup path takes precedence.
  • Ensure the groups already exist; this playbook does not create Azure AD groups.
  • Roles and groups are resolved by display name, and group display names are not unique in Entra ID. A name that matches more than one group is ambiguous and must be treated as an error rather than resolved to the first match.
  • An app role assigned to a group applies to every current and future member of that group, so the membership of the target groups is the real authorization boundary and should be reviewed as such.